Why I Left LastPass for 1Password

1) We can now access most of our private, confidential information online (bank accounts, email, and social networks), and

2) We’re lazy.

I’m not trying to make anyone feel bad with that last point. I’m really lazy, too. For years, I used only a few passwords and rarely changed them. It doesn’t take a long explanation to illustrate how dangerous that can be. If someone figures out your Facebook password and you use the same password for your email, the intruder can now log into your email and reset passwords for things like your online banking. And if you’ve ever wondered how embarrassing emails from politicians and celebrities end up getting exposed online, this is how it’s usually done.

A few years ago, I started using LastPass to manage my passwords, and it dramatically improved my online security. Password management software like LastPass lets you generate complicated, random passwords for each website you visit, and all you need to do is remember a single main password to access all of them.

While I love the idea behind LastPass, I haven’t been entirely comfortable with its execution. I made the switch to 1Password when it became available for Windows last year, and I’ll explain why making the switch is a good idea, if you haven’t already done so.

1Password vs. LastPass

Although it wasn’t available for Windows until 2010, Mac users have been familiar with 1Password for quite a while. This award-winning password manager lets you create strong, unique passwords and locks them with a master password, so you only need to remember a single password. Unlike LastPass, 1Password doesn’t have a free version, so why would I want to switch?

1Password lets me store my passwords locally

One of LastPass’s best features is that it stores your passwords online, so you can access them from anywhere by logging into your LastPass account. But even with amazing security, I could never feel completely secure leaving all my passwords in someone else’s hands, which is one of the biggest reasons why I switched to 1Password.

I’m braver than most technically inclined people I know, partly because I spend so much time using new technology that I have built up some sort of mental callus to its inherent risk, and partly because I want to believe that most of these companies aren’t looking to screw over their users. But my paranoid tech-savvy friends aren’t wrong – we’ve seen countless examples of companies selling their customers’ private data for personal gain. And even if the company is 100% ethical, all it takes is for an unethical giant to buy them out and make dramatic changes to their privacy policies.

With 1Password, I can store my passwords locally on my computer, so I never have to worry about a hacker breaking into a massive storage server somewhere in the world and potentially getting my information. This means I also need to be careful about how I store this information, but since 1Password encrypts everything, keeping your passwords safe is pretty easy. I love having total control over my data.

What if you need to access your passwords on multiple computers? This is a very realistic problem for almost all of us, and there are a few easy solutions with 1Password. You can use Dropbox, a super-easy file sharing program, to keep your passwords synced across multiple computers. And if you don’t feel comfortable doing that, you can simply save your 1Password files to a USB flash drive or portable hard drive to always have them handy.

Great browser integration with hotkeys

This might seem a bit finicky, but I don’t think I could really get in the habit of using password management software that didn’t have an easy way to access my passwords and automatically insert them into my browser. 1Password has great browser plugins for Firefox, Chrome, and Internet Explorer, so I can log into my accounts effortlessly.

The best way to access your 1Password passwords in a browser is to use the hotkey CTRL + \. When you press this key combination, a window will automatically appear prompting you to unlock your 1Password data, and after doing that you’ll see a list of any accounts available for the website you’re viewing.

1Password’s Chrome Plugin

When creating an account on any website, you should always use a unique, complex password. 1Password makes this very easy with their Generator option, where you can pick the password’s length and complexity. Since you don’t have to memorize it, why not make it as complicated as possible?

1Password’s Password Generator

One of my favorite features of 1Password’s password generator is its Pronounceable option. This lets you create a password that is easily pronounced phonetically (and thus easier to remember), which is great for using services like Twitter when you need to log into mobile apps.

If you accidentally reveal this to anybody, you can just convince them it’s the language you speak to your spirit animal in.
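As an added example (not code from the article or from 1Password), here is a small Python generator that offers both modes the article describes: a fully random password drawn from chosen character classes, and a pronounceable one built from consonant-vowel syllables. It also computes the entropy of each, which shows the trade-off the article only hints at: a pronounceable password needs roughly twice as many characters to be as strong as a fully random one. The symbol set and the syllable alphabet are my own choices, not 1Password’s.

```python
import math
import secrets
import string

# Character classes for the fully random mode (the "complexity" knob).
# The symbol set is an assumption of this example, not 1Password's list.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?",
}

# Building blocks for the pronounceable mode: each syllable is one consonant
# followed by one vowel, so every syllable is one of 18 * 5 = 90 possibilities.
CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"

ALL_CLASSES = ("lower", "upper", "digits", "symbols")


def random_password(length, classes=ALL_CLASSES):
    """Uniformly random password over the union of the chosen classes.

    `secrets` (a CSPRNG) is used rather than `random`, which is seedable and
    predictable. Candidates missing one of the requested classes are
    rejected and redrawn so the result always exercises every class.
    """
    if length < len(classes):
        raise ValueError("length must be at least the number of classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in candidate) for c in classes):
            return candidate


def random_entropy_bits(length, classes=ALL_CLASSES):
    """Entropy of a length-N uniform draw: N * log2(alphabet size).

    The class-coverage rejection above discards only a tiny fraction of
    candidates at realistic lengths, so this is a close upper bound.
    """
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def pronounceable_password(syllables):
    """Pronounceable password made of consonant-vowel syllables, e.g. 'tabiko'."""
    return "".join(
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS) for _ in range(syllables)
    )


def pronounceable_entropy_bits(syllables):
    """Each syllable is one of len(CONSONANTS) * len(VOWELS) equiprobable choices."""
    return syllables * math.log2(len(CONSONANTS) * len(VOWELS))


def syllables_for_bits(target_bits):
    """Smallest number of syllables whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(len(CONSONANTS) * len(VOWELS)))


if __name__ == "__main__":
    rnd = random_password(12)
    pro = pronounceable_password(6)  # also 12 characters
    print(f"random:        {rnd}  ~{random_entropy_bits(12):.1f} bits")
    print(f"pronounceable: {pro}  ~{pronounceable_entropy_bits(6):.1f} bits")
    need = syllables_for_bits(random_entropy_bits(12))
    print(f"to match the random one you need {need} syllables "
          f"({2 * need} characters): {pronounceable_password(need)}")
```

A 12-character random password over all four classes carries about 77 bits, while a 12-character pronounceable one carries about 39, so the pronounceable mode is worth using only if you lengthen the password accordingly.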

I’d rather pay for important software I’ll use every day

First off, LastPass does have a premium version that gives you access to mobile apps and better features. But it’s a subscription-based service, so this means you’ll have to keep paying for it as long as you want access to these features. If you ask me, I’m subscribed to way more services than I want to be (Netflix, Audible, my mobile phone plan), and I really don’t feel like adding another monthly subscription.

1Password costs $49.99 (for Windows) which you pay once to completely own the software and receive all updates. And you know what? It’s completely worth it.

I use the same logic when explaining why it makes sense to pay for your operating system – this is software you’ll use every day, it will improve your life (I’m guessing you would be negatively affected if someone hacked your bank account because you were using insecure passwords), and its price is validated by 1Password’s high quality. I pride myself on supporting things I enjoy and improve my life, and I’d rather use the buy-it-once 1Password than a free version of LastPass.

1Password also has apps for Android, iPhone/iPod touch, and iPad, so you can always access your passwords on-the-go. The 1Password mobile apps also support Dropbox, making it easy to keep your passwords synchronized on your mobile device.

I like the idea of local storage of my passwords as well. I wouldn’t feel secure letting someone else manage the keys to my domain!

NeonCollie

I’ve been using LastPass for quite a while now. I feel very comfortable using it, although I would feel much more comfortable knowing my information was stored locally on my own computer. I’d really like to see how 1Password compares. I really enjoy your tech articles. Thanks!

Awesome article as ever; would love a copy of 1password as I, like yourself, do not trust online services.

Cheers!

Zack

Sweet

Ioiosotwig

Sounds good…

Casual Observation

I hear what you’re saying about online repositories. I tell my clients that if they can get into the gov’t they can get the data. And the more there is in one place, the bigger the target on the back.

Rhbanagale

That is a great tool that most Internet users must have. Currently I am using Keepass but it lacks browser integration. Nice to have one like this!

anna

keepass actually does do browser integration – on Linux at least (with keepassx), I press Super+s (a hotkey I chose) and forms are auto-filled with my username and password. You can even customize what gets typed by putting macros in the comments field.

You can set this up in Settings -> Advanced.

For my part, I would rather software I use every day be open source, whether I pay for it or not. keepass is open source, so we can audit just how secure it is. I don’t trust my passwords to code I can’t see.

max

anna is correct; Keepass has had browser integration for years.

Also strongly agree with the open source concept when it comes to encryption. There’s nothing in this article that would indicate 1Password is in any way superior to Keepass.

I was amused by the author’s notion that Dropbox files exist in the cloud, but you think that you have complete control over them. And then I was more amused by the suggestion to put your encrypted password file into a TrueCrypt container so that you can access it via Dropbox. Yeah, that’s convenient. If you need TrueCrypt, it sounds like it’s not just Dropbox you don’t trust, but 1Password.

No disrespect to Keepass, but having been a KP user, my experience is that its browser integration doesn’t hold a candle to LastPass. For example, LP auto-detects when you’re changing a password or creating a new account and offers to auto-generate a new password for you.

NIBB

What anna said is correct. You have been able to auto-type with KeePass for years, and it’s very easy to set up. Since its interaction is executed on the user side, and not by the browser (extensions), it’s safer by nature.

As for what you said about LP detecting password changes: you are doing it wrong!!!

If you are changing the passwords on the website, and LP detects these changes and updates with the new information, that means you are updating the passwords on the account website, which means you probably updated it with a non-secure password. Why? Because most accounts don’t have a random password generator, and the ones that do are actually too flawed to produce something strong enough. I’d rather trust the password generator in software like KeePass or LastPass. If you are updating passwords on a website that are not random, then why even use something like LastPass in the first place?

So if you do it correctly, then you are actually generating the random password from the source database (this means LP or KeePass or whatever you use to store logins), then updating it on the website manually. This is the safe way to do it, because if for whatever reason your source does not detect the change, as LP sometimes fails to, you could potentially be locked out. Some sites will log you out, and if you don’t have a historical record you have basically just locked yourself out, as you cannot remember the random password used and it’s not saved in your original database either.

So you are doing it wrong. You have to generate the random password from your password manager, then update it on the website manually. In that case, what you mentioned as a benefit is nullified. Someone does not need KeePass to detect the password change at all, and most probably don’t even want something like that.

Actually, that feature alone means your browser is connected to your password database, and this is insecure. LastPass is tightly connected with your browser, and there are hacking concepts which can retrieve users’ passwords by exploiting something in the browser. All someone needs to do is hack some extension, create a malicious website, or do something else attacking your browser (they have vulnerabilities discovered every week) and LastPass will dump the logins.

What is the point of using a password manager if you are connecting it to the vector of attack? Your browser is the potential gateway for attacks on you, just like email. Browsing is the risk, so if you have your password manager connected with your browser, then, again, you are doing it wrong.

With KeePass, assuming you don’t use plugins, this is not possible. Same with 1Password or other local password managers. They are not connected to the browser, so they are by nature safer. You are giving up security for functionality with LastPass. The reason LP detects your password changes and can auto-fill them should ring a bell about how secure it actually is. Most people are sold on LastPass exactly because of this, auto-fill, and these are exactly the weakest points of the product, which were attacked before and are going to be attacked in the future.

Also, having all accounts connected to central servers at a centralized company means it’s a honeypot for hackers. It’s a high-value target; this is different from hackers attacking millions of different systems (you or others): they only have to attack one cloud provider, then concentrate on the users they want, since now they have a list, and LastPass has a list, assuming you paid them; they do have your data linked to an account. You are actually putting yourself at more risk by having them shared with millions of other LP customers. Do you trust a company so much? Maybe, but what about their employees? LastPass will never be hacked because its encryption failed, but because a human failed.

Im_n0t_0v3r

One other thing of note, it has better iPad support than Roboform or Lastpass IMHO. 1Password is made for the full screen, not an iPhone app that is made compatible like Roboform.

I’ve been a long time 1Password user (and fan). I now have my passwords automatically synced and accessible on Windows, Mac, Android, iPhone, and iPad. I couldn’t be happier. Each password I use is random (12 – 16 characters) and never re-used; I love it when my security criteria outshine those of a bank or other financial website. I actually have family licenses, so my family can benefit as well.

I’ve been using 1Password for about 6 months and I am extremely happy with it. My freelancer side loves the fact that I can manage not only my own logins but my client’s logins as well, without compromising their security. My UX designer side loves the sleek and elegant design. I would love to win a free copy so I can give it to my girlfriend. No luck trying to get her to buy it.

Lbrand10

Good article can’t wait to get my hands on a copy.

Anonymous

Good writeup for 1Password, thanks.

Richard

I’m a long time user of KeePassX. I am interested in seeing how 1Password compares.

Ryan

I love 1Password on the Mac and would really enjoy having the Windows version as well.

I hope I win. I could really use 1Password since I am a daily internet user!

Matte

I actually changed from LastPass to 1Password when I bought my first Mac and have been using it ever since. Of course I could live without it, but it’s so worth the price I paid for the license. Hoping to lay my hands on a Windows license as well. 🙂

Techwish

Wooohooo…Sounds better than sliced bread

Kshellborn

Next to a browser, 1Password is my most used app. I just bought a second macbook and would love to have another version for that.

Anonymous

1Password is the bomb! My buddy has it and it is definitely the way to keep secure online

I’ve tried 1password, but couldn’t afford to buy it. I’m waiting for a promotion to have the possibility to acquire this amazing password manager.
I love the way it integrates between different OSes and mobile platforms.
It’s perfect. I hope I win the free copy, so I can finally start using it.

FYI, the iPhone/iPod Touch and iPad version of 1Password isn’t free, and it’s on top of the desktop application purchase. Considering you’ll probably use this daily, it’s all worth it. Hope I win the free copy so I can get the iOS version.

jeremy

I want one!

sabrewulf

I couldn’t agree more with this article as far as using different passwords and making sure they’re strong. I used to keep all my logins in a text file and saved in Dropbox. Primitive compared to 1Password and the ease of use and vast options. I would love to be able to get my wife her own copy.

By using 1Password, should we give up the option to use a random computer without any special equipment?
May luck be with me! 😉

Savelyev Andrey

1password is a cool app =)

Ray

I use 1Password on my mac (demo version) and I absolutely love it. No more one simple password on all my accounts (gmail, twitter, facebook, …) but Real Passwords which I don’t know and cannot remember. And no more forgetting accounts and passwords of sites I don’t visit very often. Even better: no more writing down passwords. Just because 1Password is so easy to use.

Julio

Nice article, thinking of switching to 1password if I could try it... let’s see, hope I win! Thanks

Evan, I appreciate the article, and I’m curious how you see a difference between lastpass storing your passwords in the cloud and dropbox being used as a middleman for sharing your 1password file between computers?

That’s a great question, and is one of the criticisms I heard from colleagues who originally expressed concern over storing passwords in the cloud with LastPass.

Simply put: there will always be inherent risk in storing data anywhere, and my Dropbox files are indeed on a server that I don’t own. I find Dropbox is an acceptable risk because I still retain control of my individually encrypted 1Password files, and I can easily create a hidden, encrypted TrueCrypt partition on my Dropbox to further harden its security.

Although very secure, encrypting the encrypted encryption may be a little unnecessary.

AbbaDabba

I think you’re not entirely correct about LastPass.... I use the YubiKey as a validator for my LastPass vault, which encrypts my passwords with an unbelievably long password. Nobody will happen upon it and nobody should be able to break it. Secondly, everything is encrypted BEFORE it is sent to LastPass, so even if someone gets their database, it’s only my local client that does the decryption. Steve Gibson has given LastPass a complete review and he thinks it is a safe and reliable model. You get the benefit of having your password anywhere without having to fool with dropbox.

Fred

Man this was really funny. You left lastpass for 1password because “you don’t feel secure leaving your password in somebody else’s hands” and then you leave all your passwords on dropbox?
LOL
For me lastpass is the winner hands down. I would like to see better safari integration though.

I’ve used LastPass for 2 years prior to switching to 1Password, so I certainly understand why you like it.

The nice thing about keeping my own encrypted password files on LastPass is twofold: I arguably have complete control over those files, and if I’m concerned about security (even though they’re already encrypted), I can simply use TrueCrypt to create an encrypted partition.

Except that you already stored it in dropbox without truecrypt, so someone could use the previous version or undelete features of dropbox to get the one not TrueCrypt’d. Also, you don’t get “All Updates” from 1Password. From the time that I initially bought it they have requested a full upgrade price twice. When I complained the first time I had to pay to upgrade I was basically told that I needed to get over it, this is the cost of doing business with AgileBits. With the current upgrade pricing hitting again I am going the other direction, from 1Password to LastPass, and I would suggest all users do the same. AgileBits is proving to be a money-grubbing company.

Dave

Yeah! How dare they ask you to pay a modest price for hours and hours of hard work, dedication & ingenuity. It almost sounds like they’re going to use that money and feed their families! Those greedy bastards!

Get over yourself dude, paying to upgrade is the cost of doing business with ANY good company that wants to actually stay around for any longer than a year or so before “hoping” to be noticed and acquired by Google (or some other tech giant). When a couple years go by and LastPass has been “sunset”, or is just plain out of business, you’ll go running back to AgileBits.

After posting this a troll replied to my comment with a libelous message about my own business (hardly the subject matter at hand) while hiding behind the anonymity of the name “Dave.” He suggests that paying upgrades nearly every year at $10 off of the full price per device (mac, windows, iPad/iPhone) is the cost of doing business with any “good” company in order for them to feed their families. If that is the case, then there are a lot of companies doing a really bad job of making money out there.

“Dave”, if that’s really your name, I do hope you are not the Dave that works at AgileBits. That would be extremely tacky. And I would hardly call $10 off a “modest” price for upgrades.

Afhavemann

I’ve been playing with 1Password for a couple of weeks now, using it with the addition of my Yubikey security device http://www.yubico.com/yubikey. Yubikey is a hardware (USB) device that stores up to 2 passwords.

The 1Password interface suits me better than LastPass (I have a premium account) and I especially like the ability to keep my file locally; this lets me use complex passwords offline.

Now normally I wouldn’t want to keep the password file local, but I’m too lazy and too old to remember highly complex passwords, so if I didn’t have the Yubikey I’d use a passphrase of some sort that might become vulnerable to a rainbow attack if someone knows what they’re doing.

1Password encryption is very solid if the password is complex enough, and the 64 character randomly generated, total garbage-like password stored on the Yubikey takes care of that chore.
I paid the $50.00 for a pair of Yubikeys and programmed both with the same 64 character randomly generated password.

One of the Yubikeys is stored in my safe deposit box (with a printed copy of the password, just in case), the other I carry with me. As a bit of additional security I program the first Yubikey password as a dummy for some unimportant sites and use the second to access the 1Password file where the really important stuff resides.

With a Yubikey, quickly pressing the button injects the first password, holding the button for 2+ seconds and releasing injects the second. A worm capturing keyboard input might capture either password, but using the second password requires access to the 1Password file, and since I store the file locally capturing the password is a waste of time.

I could have even greater security by using challenge-response or even single use passwords, but I’m comfortable with the level I now have in place, it would take an unlikely event for the password, file and knowledge of use to all come together.

1Password & LastPass are both pretty equal in that both provide essentially the same security, however LastPass is a subscription service that I have to pay every year while 1Password is a one-time purchase and gives me the advantage of storing the file locally.

Having both a Yubikey and 1Password is not inexpensive, the pair cost $70.00 (includes Yubikey shipping) but, in my opinion, that’s a reasonable price to pay for high grade security.

You might argue that this isn’t important to you, but they are not the same.

Ch1ll1man

Your article is a contradiction!

You say that you like the fact 1Password stores the data locally right? Good I like that too. Then you go on to say that to sync you should go ahead and use Dropbox – errmm that means it’s no longer local!

Dropbox and Lastpass both use encryption techniques to store your data in the cloud, so by bringing in Dropbox you’re right back where you started – but with a cost added…

Me myself – I use Keepassx and an IronKey

Sajan Shetty

dropbox is free

Jan

As can be seen in the link below, 1Password upgrades are not free, so I’d rather stick to LastPass free. 1Password may have a better interface, but LastPass is free and does an excellent job. Using the LastPass bookmarklets in iPhone’s native Safari browser is a breeze, and doesn’t require a premium subscription. http://help.agilebits.com/1Password3/howto_upgrade_license.html

Anonymous

1Password is more Mac-centric than Windows-centric. And their Android app is in beta. LastPass has a lot more options than 1Password and it uses 256-bit encryption instead of 128-bit like 1Password does. In comparing the two, LastPass seems like the better app to me, but I do agree I’m not a big fan of the monthly fee (even though it is only a buck).

Joshua Chia

Supposedly, LastPass doesn’t keep a copy of your master password. They only store your password data encrypted with your master password, so as far as extracting your passwords, the copy they store is useless to them or an attacker unless the master password is also available (or easily guessable).

If you need password access only on one computer, and you can be sure of not losing data on that computer, I suppose 1Password is fine. If you do need to access your passwords from multiple computers, LastPass is no more dangerous than what you suggested, using Dropbox to sync your password data across computers, unless you somehow trust Dropbox more than LastPass.

Using USB flash drives to move your password data around is maybe fine, too, but because they are small, it may be easy to lose them (together with your password data). If you end up putting multiple copies on multiple devices to guard against data loss, it seems risky as well.

The biggest drawback I see with LastPass is that it’s not open-source, so it’s harder to verify that the software behaves the way they claim it does.

Dom

I’m using LastPass and I’m very satisfied. I tried 1Password also; except for a slightly better look, it works exactly the same way, so imho I don’t see any reason to PAY for the same features. Overpriced 1password is not a winner here; compare all features and then you will see the differences (LastPass supports all browsers and more devices etc.)....

Spending cash for software with THE SAME FEATURES or less is very irrational and childish, sorry.
I will be using LastPass with pleasure.

Ronald McDade

I would be very pleased if I got to win a free copy of 1Password!!! I have over 57 accounts that have built up over the years and it is becoming very frustrating having to write them all down, not to mention if that paper even stays in one place. It could get lost in the house somewhere for all I know. I hear using 1pass lets you organize all your passwords by 1 master password! That would be great! No more hassle with pens and papers (or word documents)!! If there is still a copy out there, enter me for a win!

Robert K

Just out of curiosity, considering your computer is connected to the internet, wouldn’t it be easier for a hacker to get into your machine as opposed to getting into a purpose built server which lastpass would be using?

I mean I understand they probably wouldn’t target you as much as they would target these companies, but these companies have a vested interest in ensuring your information is safe. It would make or break a company.

I’d rather trust a large company to take responsibility for my passwords than rely on the weak security of my computer.

donnatravelling

Love this post! I, too, would rather keep my passwords local. thanks for taking the time to share.

I disagree. As you mentioned yourself, the passwords in lastpass are encrypted. Only you can decrypt them since only you have the master password. So what if the lastpass server is hacked? The hacker would still need my master password (that he doesn’t have) to decrypt the file he hacked. As long as the encryption algorithm is sound (and it is in this case, AES, approved by NSA to protect classified US govt information), there is no chance in hell the hacker can brute force my long / complicated master password in a few thousand years, even with a super computer.

Secondly, you said you feel more secure with passwords on your local computer. Isn’t your “local” computer also connected to the internet? It’s not really that “local” if it has internet connection. It’s probably less secure and hackable than any server on the Internet.

Anonymous

I just installed lastpass today (after my msn password was hacked :-) and I’m changing all my very old and weak passwords… Although it’s a great free app, I also feel this concern of having all my passwords stored somewhere out of my control.
1Password + dropbox sync seems a nice solution.

The great thing about lastpass is that I use it in Google Chrome, which we also have at work. We can’t install third party software at work (unless it’s a portable version), so having the LastPass extension in Chrome at work is pretty relaxed. I open it and log in with my YubiKey and I have all my passwords ready to go. Storing them locally, syncing with Dropbox or using a USB thumbdrive for it seems a bit of a hassle. Password security is important, but if someone really wants YOUR data, they will get it anyway, so if having it stored online is easier & faster for me, that’s the winner.

How is storing in the cloud with LastPass and storing a local keyfile on DropBox any different? In both cases, only you have access to the raw data. You say, “you control what’s on DropBox,” but that’s just as true with LastPass as with DropBox. I control the contents of my keyfile. The fact that, with DropBox, I can physically delete the file, whereas with LastPass, I can only delete all the passwords in the file, seems moot.

Jfaywil

I’ve only been using LastPass for a short time, and cannot find a solution to a problem that affects its ability to generate and save passwords. Thanks for your detailed explanation of 1Password. I’m going to make the switch.

Netbob

Great article. I’ve been using the premium version of Lastpass for a couple months and I like it along with a Yubikey. Love this device. One thing that kinda bugs me is the online storage of passwords. I will definitely try 1password. I recently had to sign on to my online vons.com site from a store pc and could not access my account because, 1. I couldn’t load the lastpass plugins and (duh) 2. I didn’t have my yubikey. Doh. Does 1password have better capabilities to handle this situation?
Thanks again for a great article.

But syncing 1password by dropbox is just like storing your encrypted data on lastpass servers, since dropbox doesn’t use CSE.

wdr

Keepass is a great, free (beer and freedom) piece of software that I’d be using if I wanted only local storage. I used it for years before opting for the ease of use provided by a password manager with integrated cloud storage. Especially since dropbox actually uses server side encryption 🙂

Boyd2742

I also like the idea of local storage only of my very important passwords. If passwords are stored on a company’s servers, it takes only 1 dishonest employee to cause all kinds of trouble.

This post is also misleading in suggesting that the people at LastPass could get access to your private passwords. They can’t; it’s a one way encryption.

Boardwalk

Timely article. Recently assumed responsibilities for my 87 year-old mother’s accounts & the security issue has really been bugging me. Researching options for password management has consumed quite a bit of my time lately & I still haven’t committed. Your trepidation, free vs. pay, good vs. better(best), & who really has the goods under control, is very similar to my conundrum.

Anonymous

Why not check out KeePass. It’s open source, free and appears to do everything 1Password does.

Putting your password file up on dropbox really seems a lot less secure than using LastPass. And using Truecrypt or some other encryption device means that you would need to be able to unencrypt the file when you are remote – which is kind of improbable. Lastpass encrypts your data with YOUR password as the key – making it inaccessible to whomever gets hold of the data in the future. And finally, I would suggest that your home computer is a lot less secure than Lastpass servers – generally speaking. In fact, most end-users don’t even have AV software installed on their computers making them a wonderful place to be storing a list of passwords. For me, it seems both solutions are equally secure if you are using a strong password for encrypting the data. Then, Lastpass just seems easier to access when not at my own computer or on my mobile.

bayer

1password doesn’t support basic features like standard HTTP authentication, so it’s useless software for many people.

Erikrichter

LastPass works on Win, OSX, and Linux

Randy S.

Security breach
On Tuesday, May 3, 2011, LastPass discovered an anomaly in their incoming network traffic, and then another, similar anomaly in their outgoing traffic.[10] Administrators found none of the hallmarks of a classic security breach (for example, database logs showed no evidence of a non-administrator user being elevated to administrator privileges), but neither could they determine the root cause of the anomalies. Furthermore, given the size of the anomalies, it is theoretically possible that data such as email addresses, the server salt, and the salted password hashes were copied from the LastPass database. To address the situation, LastPass decommissioned the “breached” servers so they could be rebuilt, and on May 4, 2011, they requested all users to change their master password. However, the resulting user traffic overwhelmed the login servers and, temporarily, administrators were asking users to refrain from changing their password until further notice, having judged the possibility of the passwords themselves being compromised to be trivially small. LastPass also stated that while there was no direct evidence any customer information was directly compromised, they preferred to err on the side of caution.[11] There have been no verified reports of customer data loss or password leaks since these precautions were taken. In comment 6, Joe Siegrist committed to a third-party audit, saying one “is certainly prudent”; however, no audit results have been published to date.
XSS vulnerability
In February of 2011, a Cross Site Scripting (XSS) security hole was discovered, responsibly reported by security researcher Mike Cardwell, and closed within hours.[12] It was mild enough to be considered low risk, and a log search showed no evidence of exploitation (other than by Cardwell); however, in addition to closing the hole, LastPass took additional steps in order to further improve security, including implementing HTTP Strict Transport Security (HSTS), as Cardwell had suggested, implementing X-Frame-Options, and a Content Security Policy-like system in order to provide defense in depth.[12] [13]

javier

Save local passwords… to access what? Everything is on the internet these days.

Bovus

There are other differences, but LastPass’s two-factor authentication is a significant security advantage over 1Password.

Hi guys,
I just thought of this article. I have been using mSecure for a while and I switched to a different phone. Now all my passwords are on Dropbox and I have to reinstall mSecure. The difference is that now I have to pay $9.99 for it. I am OK paying a couple of dollars for an app, but 10 is a bit too much. mSecure opened up for free. Once you get hooked using them and you switch to a different device, you have to pay the fee. I feel this practice is unethical. I would rather pay up front for an app and know that they will not hit me with more fees down the road. What a scam. I will try LastPass or 1Password next.

LastPass does store your files locally, technically. It only stores the salted hashes at its servers, but it does all the encrypting and decrypting on your computer (very small process). And even when the files are stored locally on your computer they are still encrypted, as opposed to having to download another third-party app like TrueCrypt as you mentioned in your article. Also, the passwords are synced to almost any device you can touch, from Windows to HP WebOS!
Plus you don’t have to manually sync them with Dropbox…
You decide..1Password or LastPass?

Jonathan Nelson

I feel like the author doesn’t understand how LastPass works. Not to say anything bad about 1Password, I think they do everything right. I know I am resurrecting an old thread, but nobody makes this point. LastPass only stores an encrypted blob on their servers. When you log in that blob is downloaded and decrypted with your password, a password that is never uploaded to LastPass. Anybody who hacks the servers gets a blob that is worthless unless you use a weak key. LastPass will let you download and store the blob locally (or in Dropbox if you want) as well, though this is just for security and data protection measures.

I have also seen LastPass customer support raise the alarm when a server showed more data than they could account for, a possible sign of a break-in.

All in all, I will continue to use LastPass. I trust them and think they know where their towel is.

Ufupuw

What a nonsensical article. He is not comfortable with online storage of lastpass, but then he recommends using Dropbox with 1password, contradicting himself.

The other problem with his theory is that he says he is not comfortable with online storage, but he has his 1Password on a computer with an internet connection. That makes it by default online! You will need to keep it on a computer with no internet access if you are such a paranoid person.

Oops! So, if you have a Mac plus Windows running in VMFusion or Parallels, you need TWO licenses. You pay twice. Now if you have more PCs (Windows or Macs or iPads, or Androids or iPhones), you’ll pay for each license on those, too! With LastPass, you pay a subscription but ONE price pays for all using the premium version. Dropbox is nice but no more secure than LastPass. I’ll stick with LastPass.

James

I think the writer and many of the commenters here are under a false impression with LastPass. Your data is not accessible to LastPass. Your passwords are encrypted locally – on your machine – prior to being sent to LastPass’ servers. What LastPass has is a bunch of heavily encrypted gobbledygook that is useless to anyone that does not have your decryption key (hence them telling you to make damned sure you don’t forget your master password as without they cannot help you, however much they want to).

There is obviously a nominal security decrease in having these things stored by a third party, but it’s hard to see it as any meaningful concern when you understand how LastPass’ system works. A similar system, in broad strokes, is used for Bitcoin. Some people have lost millions of pounds because they lost their keys and nobody alive was able to recover the data those keys unlock however much they wanted to.

NIBB

But this is what most people misunderstand. Hackers don’t need your encryption passwords or to crack them; all they need is access to LastPass servers. They have to maintain a user database, with your information related to your account; they have to in order to provide support, billing, etc. And if your passwords are offline in your system, how exactly do you think it works on all devices? That is right, it transfers them from one device to the others, again using their service.

All someone needs to do is hack their side and trick your account; LastPass then retrieves the encryption from your local systems remotely using their service, and they already have your master password because you enter it on their service. The minute your account and data have to connect to them to work, that alone is its weakest point and vector of attack. Not to mention it runs in your browser, a double vector of attack. LastPass was hacked before, do your research; even if they deny this, the proofs of concept were able to pull data out of a user account and steal the passwords of that attacked system. Even if it was not a direct attack on LastPass, the result was the same: they could access the data by attacking the browser.

If they really were not storing anything on their side and your service could work without establishing connections to them, then it would mean you don’t need their service in the first place. It’s a service, so attackers are going to attack them, not you. Once they have control of them, they can do whatever they like with users, from sending malicious updates, to tricking them into giving up their master passwords, to getting their data once connected.

Carl

I think you are mistaken re how Lastpass works. They don’t store or know your master password. It never leaves your PC. Your master password is used to encrypt the password store, which is then uploaded to Lastpass. Without the master key the blob of encrypted data is totally useless to anyone including Lastpass themselves. You can also store your password database locally so you have offline access too. I have no preference. I just wanted to put the record straight.
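Added worked example (an editor’s addition, not any commenter’s words and not LastPass’s or 1Password’s actual code): a toy model of the client-side-encrypted vault that Jonathan Nelson, James and Carl describe, run against the scenario in the pasted breach write-up, where an attacker walks off with e-mail addresses, the server salt, the salted auth hashes and the encrypted blobs. It shows what the server really holds, why that data is useless without the master password, and why Jonathan’s caveat (“worthless unless you use a weak key”) is the whole story. Everything about the construction is an assumption for illustration: PBKDF2-HMAC-SHA256 as the KDF, a 100,000-iteration count, the account e-mail as the client-side salt, and an HMAC-in-counter-mode stream cipher with encrypt-then-MAC standing in for a real AEAD such as AES-GCM so that the script needs only the Python standard library. The sample account and entries are constructed.

```python
"""Toy model of a client-side-encrypted ("zero-knowledge") password vault.

Added illustration for this thread; not LastPass's or 1Password's real code.
Assumptions, labelled here and below: PBKDF2-HMAC-SHA256 as the KDF, a fixed
iteration count, the account e-mail as the client-side salt, and an HMAC-based
stream cipher with encrypt-then-MAC standing in for a real AEAD such as
AES-GCM (stdlib only, so it runs offline). The structure is the point: the
server only ever sees values derived from the key, never the master password
or the vault key itself.
"""
import hashlib
import hmac
import json
import secrets

ITERATIONS = 100_000  # assumption for the demo; products use more and tune it

# Constructed sample data for the demo (not real accounts or passwords).
SAMPLE_EMAIL = "user@example.com"
SAMPLE_ENTRIES = {"bank.example": "W7#kq2Zp!vL9", "mail.example": "r4$Tn8@bXs1Y"}


def derive_keys(master_password: str, email: str):
    """Client side. vault_key never leaves the device; auth_key is what the
    client presents at login. auth_key is a one-way function of vault_key, so
    handing it to the server does not hand over the ability to decrypt."""
    salt = email.lower().encode()  # assumption: per-user salt = e-mail address
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=32)
    auth_key = hashlib.pbkdf2_hmac("sha256", vault_key, salt, 1, dklen=32)
    return vault_key, auth_key


def server_auth_hash(auth_key: bytes, server_salt: bytes) -> bytes:
    """Server side: the only password-related value that lands in the database.
    Hashed again with a server salt so a stolen row cannot be replayed as a login."""
    return hashlib.pbkdf2_hmac("sha256", auth_key, server_salt, ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based stand-in for a block cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _split(vault_key: bytes):
    """Separate encryption and MAC keys derived from vault_key."""
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def encrypt_vault(vault_key: bytes, entries: dict) -> bytes:
    """Encrypt-then-MAC on the client. Layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _split(vault_key)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes):
    """Returns the entries, or None when the key is wrong or the blob was
    altered (the MAC is verified before anything is decrypted)."""
    enc_key, mac_key = _split(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def offline_guess(email, server_salt, stolen_auth_hash, stolen_blob, wordlist):
    """What someone holding a copy of the server database can do: guess master
    passwords offline. Each guess costs both KDFs; with a weak master password
    the loop finishes, with a strong one it never does."""
    for guess in wordlist:
        vault_key, auth_key = derive_keys(guess, email)
        if hmac.compare_digest(server_auth_hash(auth_key, server_salt), stolen_auth_hash):
            return guess, decrypt_vault(vault_key, stolen_blob)
    return None, None


def simulate_database_theft(master_password: str, wordlist):
    """Enrol a user, then hand an attacker exactly what the server held:
    e-mail, server salt, auth hash and the encrypted blob, nothing more."""
    server_salt = secrets.token_bytes(16)
    vault_key, auth_key = derive_keys(master_password, SAMPLE_EMAIL)
    stored_hash = server_auth_hash(auth_key, server_salt)
    stored_blob = encrypt_vault(vault_key, SAMPLE_ENTRIES)
    return offline_guess(SAMPLE_EMAIL, server_salt, stored_hash, stored_blob, wordlist)


if __name__ == "__main__":
    wordlist = ["letmein", "123456", "password1"]
    print(simulate_database_theft("password1", wordlist))
    print(simulate_database_theft("correct horse battery staple", wordlist))
```

Two things worth noticing when you run it. First, the attacker does not even need the stolen auth hash: a guessed master password can be confirmed against the blob alone, because a correct guess is the only one whose MAC verifies, so a second factor on the login page protects the account but does nothing against an offline attack on a copied blob. Second, the only thing standing between a copied database and your passwords is the cost of each guess (the KDF iteration count) multiplied by the number of guesses a weak master password would need, which is why both sides of this thread are right in their own way: the server holds nothing it can decrypt, and a weak master password still loses.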